Configure security features of a virtual firewall on an AR router

The procedure for configuring security features on a virtual firewall is the same as on a common firewall. Each firewall must be deployed separately to meet its own firewall service requirements. Security features that can be configured include the packet filtering firewall, ASPF, port mapping, session table aging time, and attack defense.
Before configuring the following features, specify a VPN instance: manually adding a blacklist/whitelist and configuring ICMP/SYN/UDP flooding defense. The configured features take effect only on the firewall that corresponds to the specified VPN instance.
For details about the commands for configuring security features of a virtual firewall, see: The AR router configures the security features of the virtual firewall.

Other related questions:
Configure VPN instances on an AR router to configure virtual firewalls
A virtual firewall is implemented by configuring a VPN instance. One VPN instance corresponds to one virtual firewall. Before configuring a virtual firewall, create a VPN instance first, and then bind an interface to the VPN instance. Interfaces bound to the same VPN instance belong to the same virtual firewall, and security policies can be deployed separately for that virtual firewall.

Operation procedure
1. Run the system-view command to access the system view.
2. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the VPN instance view.
3. (Optional) Run the description description-information command to record the descriptive information of the VPN instance.
4. Run the route-distinguisher route-distinguisher command to configure a routing label for the VPN instance. After a VPN instance is created, specify a routing label for it; otherwise, subsequent configuration cannot be performed.
5. Run the interface interface-type interface-number command to access the interface view.
6. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN instance. Bind the interface to the VPN instance first, and then configure an IP address for the interface. Otherwise, the configured IP address will be deleted, and you will need to reconfigure an IP address for the interface.
7. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the interface.
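The ordering rules in the procedure above can be checked before a change is pushed. The following is an added example, not Huawei code: a Python check over constructed command scripts that flags an interface bound to a VPN instance with no route-distinguisher yet, and an ip binding vpn-instance issued after ip address. The instance names, RD value, addresses and the helper name are assumptions made for the illustration.

```python
import re

# Constructed command scripts (names, RD and addresses are made up).
GOOD = """\
system-view
ip vpn-instance vfw_a
 route-distinguisher 100:1
 quit
interface gigabitethernet 1/0/0
 ip binding vpn-instance vfw_a
 ip address 192.0.2.1 24
"""
BAD = """\
system-view
ip vpn-instance vfw_b
 quit
interface gigabitethernet 2/0/0
 ip address 198.51.100.1 255.255.255.0
 ip binding vpn-instance vfw_b
"""

def lint_vpn_instance_script(script):
    """Return (line_no, message) findings; hypothetical helper for this example."""
    findings, has_rd, addressed, view = [], {}, set(), None
    for no, raw in enumerate(script.splitlines(), 1):
        cmd = raw.strip()
        if m := re.fullmatch(r"ip vpn-instance (\S+)", cmd):
            view = ("vpn", m.group(1))          # entered the VPN instance view
            has_rd.setdefault(m.group(1), False)
        elif m := re.fullmatch(r"interface (.+)", cmd):
            view = ("if", m.group(1).lower())   # entered an interface view
        elif cmd == "quit":
            view = None
        elif cmd.startswith("route-distinguisher ") and view and view[0] == "vpn":
            has_rd[view[1]] = True
        elif cmd.startswith("ip address ") and view and view[0] == "if":
            addressed.add(view[1])
        elif (m := re.fullmatch(r"ip binding vpn-instance (\S+)", cmd)) and view and view[0] == "if":
            if not has_rd.get(m.group(1)):
                findings.append((no, f"{m.group(1)}: no route-distinguisher before binding"))
            if view[1] in addressed:
                findings.append((no, f"{view[1]}: ip address set before binding is deleted"))
                addressed.discard(view[1])
    return findings

if __name__ == "__main__":
    for name, script in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_vpn_instance_script(script))
```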

Configuring virtual routers on the firewall
You can configure a virtual router to isolate VPN routes. To configure a virtual router on the firewall, perform the following steps:
1. Choose Network > Route > Virtual Route.
2. In Virtual Router List, click Add.
3. Enter the name of the virtual router to be created.
4. Click OK.
If the new virtual router entry is displayed, the operation succeeded.

WLAN security of AR routers
WLAN security is as follows:
User access security: Link authentication, access authentication, and data encryption are used to ensure validity and security of user access on wireless networks.
Service security: This feature protects service data of authorized users from being intercepted by unauthorized users during transmission.
For details, see WLAN Security Configuration.

How to configure a virtual address of VRRP on an AR router
The vrrp vrid virtual-router-id virtual-ip virtual-address command is used to create a VRRP group and specify a virtual IP address for the group. The vrid virtual-router-id parameter specifies the VRRP group number, which is an integer in the range from 1 to 255. The virtual-ip virtual-address parameter specifies the virtual IP address (dotted decimal notation) of the VRRP group.

[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 10.10.10.10 //Create a VRRP group on GE1/0/0. The group number is 1, and the virtual IP address is 10.10.10.10.

Configure the ASPF firewall on an AR router
The application specific packet filter (ASPF) firewall can detect and filter FTP, HTTP, SIP, and RTSP packets on the application layer. The ASPF firewall filters application-layer packets based on state. It can detect application layer session information that attempts to pass the firewall, and prevent packets that do not match rules from passing the firewall.

After ActiveX Blocking is configured, the ASPF blocks ActiveX controls transmitted over HTTP, preventing users from installing insecure or malicious controls. After Java Blocking is configured, the ASPF blocks requests that are sent to obtain programs containing Java Applets from web pages.

In the system view:
1. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view.
2. In V200R006 and earlier versions, run the detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip } command to configure the ASPF firewall. In V200R007, run the detect aspf { ftp | rtsp | sip } command to configure the ASPF firewall. Most application layer protocols have bidirectional interaction processes. Therefore, directions are ignored during ASPF configuration, and the router automatically checks the status of inbound and outbound packets. By default, the ASPF firewall is not configured for the interzone.
3. Check the configuration result. Run the display firewall interzone [ zone-name1 zone-name2 ] command to query ASPF information about the interzone.
